David Matousek released on 15 January 2007 details of an exploit that disables self-protection in Outpost Firewall Pro. Virus Bulletin published coverage of the exploit on 17 January 2007. See this link and this link for additional information. Agnitum is aware of this issue and working on a fix for users that will be available before the end of this month.
However, there is more to this story. Matousec.com, the site that announced the vulnerability, was founded by David Matoušek in March 2006 and comprises a "small group of young people, mostly university students, who are interested in the Internet, security and other computer related topics". Unfortunately, while the group clearly has some understanding of technical security issues, they appear not to have grasped the commonly-accepted ethical principles of the information security business.
After testing Outpost Firewall Pro 4.0, Mr Matousek contacted Agnitum and suggested that we pay for a report on the issues (http://www.matousec.com/purchase.php) he discovered in Outpost Firewall. In our opinion, this is tantamount to blackmail, and so we declined to pay. It is a generally accepted principle in the security community that, when a software vulnerability is discovered, the discoverer contacts the vendor and freely provides them with sufficient information to enable them to identify and repair that vulnerability. We were therefore taken by surprise when Mr Matousek took it upon himself to publish details of the Outpost vulnerability without giving us the wherewithal to address the issue directly and protect our customers.
This would seem to be in direct contravention of the group’s claim that their goal is to improve end-user security. Moreover, it is a breach of common industry practices such as those cited at:
- Rain Forest Puppy, "Full Disclosure Policy (RFPolicy) v2.0"
- CERT/CC Vulnerability Disclosure Policy
- Organization for Internet Safety. "Guidelines for Security Vulnerability Reporting and Response, Version 2.0"
Second, Matousec tested Outpost only after he first modified the sandbox.sys module in Outpost (BTP00003P004AO.zip). This is a violation of the End-User License Agreement (EULA) and international copyright treaties. As for the vulnerability itself, yes, it may become a risk if the user is logged in with administrative privileges and launches an unknown application that is actually a malicious script. But in this case, the user would be vulnerable no matter what security programs that user is running, as intruders can use this type of code to perform almost any kind of malicious activity on a victim’s computer.
In any case, I would just like to re-emphasize that we take the security of our end users extremely seriously, and a bug-fix release dealing with this issue will be issued within the next two weeks.
President & CEO, Agnitum Ltd.